Web bugs can have serious risks, especially when they fester for eight months.

When my neighbor called early Wednesday morning, she sounded close to tears. Her Yahoo Mail account had been hijacked and used to send spam to addresses in her contact list. Restrictions had then been placed on her account that prevented her from e-mailing her friends to let them know what happened.

In a blog post published hours before my neighbor's call, researchers from security firm Bitdefender said that the hacking campaign that targeted my neighbor's account had been active for about a month. Even more remarkable, the researchers said the underlying hack worked because Yahoo's developer blog runs on a version of the WordPress content management system that contained a vulnerability developers addressed more than eight months ago. My neighbor's only mistake, it seems, was clicking on a link while logged in to her Yahoo account.

As someone who received one of the spam e-mails from her compromised account, I know how easy it is to click such links. The subject line of my neighbor's e-mail mentioned me by name, even though my name isn't in my address. Over the past few months, she and I regularly sent messages to each other that contained nothing more than a Web address, so I thought nothing of opening the link contained in Wednesday's e-mail. The page that opened looked harmless enough. It appeared to be an advertorial post on MSNBC.com about working from home, which is something I do all the time. But behind the scenes, according to Bitdefender, something much more nefarious was at work.

That's because the page viewed by me—and earlier by my neighbor—included JavaScript that instructed our browsers to turn over any stored cookies Yahoo may use to log its millions of users into their accounts. Normally, an iron-clad security restriction baked into every major browser makes these types of hacks impossible. Known as the same-origin policy, it allows a website to read only cookies that originate with that website, or one of its subdomains. In other words, example.com can retrieve cookies that were set by example.com or subdomain.example.com—but not by arstechnica.com, www.arstechnica.com, or any other site or subdomain.

The vulnerability that WordPress patched last April was known as a reflected cross-site scripting bug (or just "reflected XSS") and allowed attackers to bypass this important restriction. According to Bitdefender, the XSS bug resided in file upload code included on developer.yahoo.com as recently as Wednesday morning. The vulnerability allowed the attackers to bounce their cookie-stealing JavaScript off the yahoo.com domain and back to the browser of anyone visiting the malicious Web page.

"It's a little bit like money laundering," Jeff Williams, a Web application security expert and CEO of Aspect Security, told Ars, referring to reflected XSS attacks. "You take your script, and you send it through developer.yahoo.com, and when it comes into your browser, now it's clean. It runs as developer.yahoo.com and it can access your cookie."

Once hackers possess a Yahoo authentication cookie, they can log in to the corresponding account and send spam, siphon the address book, and control other key functions for as long as the cookie is valid, or until the user logs off. In some cases cookie-stealing attacks work only when a victim clicks a malicious link while logged in to the targeted service.
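The two mechanisms the preceding paragraphs describe, a reflection point that turns a request parameter into page markup and the cookie scope that lets a cookie set for the whole yahoo.com domain reach a page on developer.yahoo.com, as an added example in JavaScript. This is not code from Ars, Yahoo or WordPress: the upload-error page, the probe string and the cookie jar are constructed for the demonstration, and the hardened form shows the output encoding that closes the reflection.

```javascript
// Added example (not code from Ars Technica, Yahoo or WordPress): a
// reflected-XSS reflection point beside its hardened form, and the
// cookie-scope rule that decides which cookies a page on one subdomain
// can reach. All inputs below are constructed for the demonstration.

// Output-encode untrusted text before it is placed in an HTML body.
// '&' goes first so the entities produced by later steps are not re-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: a request parameter (here a hypothetical upload
// filename) is echoed straight into the response, so markup in the
// parameter becomes markup in the page.
function renderUploadErrorVulnerable(filename) {
  return `<p>Could not upload ${filename}</p>`;
}

// Hardened pattern: same page, untrusted input encoded first.
function renderUploadErrorHardened(filename) {
  return `<p>Could not upload ${escapeHtml(filename)}</p>`;
}

// Check used by the demonstration: did a <script> element reach the HTML?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Cookie scope per RFC 6265 section 5.1.3: a cookie whose Domain is
// "yahoo.com" (a leading dot is ignored) is sent to yahoo.com and to
// every subdomain of it, and to no other host.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, '');
  return host === dom || host.endsWith('.' + dom);
}

// Names of the cookies in a jar that the browser would attach to a request.
function cookiesSentTo(requestHost, jar) {
  return jar.filter(c => domainMatches(requestHost, c.domain)).map(c => c.name);
}

// Constructed probe: harmless, just enough markup to show the difference.
const PROBE = '"><script>probe()</script>';

// Constructed cookie jar: one login cookie scoped to the whole domain (as
// the article describes for Yahoo) and one scoped to the mail host only.
const JAR = [
  { name: 'login', domain: '.yahoo.com' },
  { name: 'mailsession', domain: 'mail.yahoo.com' },
];

console.log(renderUploadErrorVulnerable(PROBE)); // <script> lands in the page
console.log(renderUploadErrorHardened(PROBE));   // &lt;script&gt; is inert text
console.log(cookiesSentTo('developer.yahoo.com', JAR)); // [ 'login' ]
console.log(cookiesSentTo('mail.yahoo.com', JAR));      // [ 'login', 'mailsession' ]
console.log(cookiesSentTo('arstechnica.com', JAR));     // []
```

The cookie-jar part also shows why a login cookie scoped to the registrable domain is the expensive design choice: a cookie scoped to mail.yahoo.com alone would never be attached to, or readable from, a page on developer.yahoo.com, so an XSS on the blog would stay an XSS on the blog.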

According to the Open Web Application Security Project, XSS vulnerabilities are the number two threat faced by websites, just behind another serious vulnerability that permits so-called SQL injection attacks. XSS vulnerabilities are to websites as dandelions are to a suburban lawn. They're almost impossible to eradicate even by a watchful groundskeeper. Left to their own devices, they soon run rampant. Most XSS bugs are inconsequential, but every now and then they make the difference between an account getting hacked or remaining secure, as my neighbor now knows.

If Bitdefender researchers are correct in saying the campaign targeting Yahoo accounts began roughly a month ago, and that the hack worked because administrators didn't apply a patch released more than eight months ago, this is a serious misstep on the part of Yahoo admins. Add to that Yahoo's failure to warn its users once the attacks became public and its PR department's failure to reply to my e-mail inquiries and it's even harder to excuse what's happened here. What's more, a report released Tuesday by security firm Imperva details a separate SQL injection attack that last month gave hackers control over Yahoo servers, suggesting that such problems are systemic.

Given the huge financial and competitive strains the company faces, an about-face doesn't look likely anytime soon. That's why I suggested my neighbor switch to Gmail. Google's service is by no means perfect, but it has been the undisputed leader in Web mail security. It was the first to offer always-on HTTPS protection that encrypts mail sessions from start to finish, and it employs world-class security experts who recognize that their users' lives may depend on the integrity of their e-mail accounts. (In the case of dissidents in China and other countries with repressive governments, this may be literally true).

Closing out an e-mail account can be a hassle, but already my neighbor is looking forward to a new beginning.

"I'm sorry to report that my e-mail was hacked this morning and many of you probably got messages from me inviting you to open a link," she wrote in a message sent from her new Gmail account. "May your day be uncluttered, no more nonsense!"

Update

On Thursday afternoon, Yahoo officials released the following statement:

Yahoo! takes security and our users' data seriously. We recently learned of a vulnerability from an external security firm and confirm that we have fixed the vulnerability. We encourage concerned users to change their passwords to a strong password that combines letters, numbers, and symbols; and to enable the second login challenge in their account settings.

There's no evidence that weak passwords or a lack of a second login challenge played any role in the hacking campaign.

Promoted Comments

This happened to me more than 6-7 months ago. I was lucky I do not actively use the contact list but I still had to apologize to like 20 people.

I spent a ridiculous amount of time trying to find out how I screwed up. I changed passwords for several services that shared the same password (I only use this password for highly trusted services like PayPal), tracked logins and what not. I was so convinced it was my fault... if only you had written this article at the time. I even wrote to customer support at Yahoo and received no answer.

In the borrowed illustration, "bank.com" should read "developer.yahoo.com", and add an earlier step 0 where the attacker uploads their script there.

@ergomane: subdomains can access cookies from their domain root, as specified in RFC 2109 & 2965. Like most portal sites, Yahoo stores its login cookies in .yahoo.com so that users persist across all of their various properties.

74 Reader Comments

Not applying the patch is indeed a failure by the admins, but a worse failure is to allow the developer. subdomain that runs unverified third-party (and low quality) software access to cookies from (sub)domains that need a higher level of containment. Proper separation wouldn't have allowed the XSS issue on the blog to influence rather mission critical parts of the infrastructure.

People should really stop using Yahoo! Mail and switch to other (safer) webmail services (like Gmail).

I've thought about switching to Hotmail/Outlook (I will never use a Google service for anything serious!) but switching away from a 15-year-old e-mail address used for countless accounts is not an easy job. Also, the actual features of Yahoo are not bad these days, and it is not some local provider that can just disappear tomorrow. The incentive to move away from Yahoo for me is pretty low (practically only Hotmail and Gmail are better) and the cost is very high.

Anyone with a Yahoo mail account should start to migrate away to a better service ASAP. However, I know it can be very difficult to get all your contacts to start using your new address: I had used a Yahoo account as my main address for many years - since they were the first major to offer free pop access - and I still can't quite take the plunge to close it, just in case some old contact needs to find me.

I say this even though my account has been hacked several times (four or more) over the past two to three years, each time in seemingly the same way. I don't use a web browser to read my mail, only the mail program on my mac, so I'm fairly sure it's not even dependent on my behaviour, and there would be no way that I could stop it happening (short of closing the service).

Every time it has happened so far, I have reset my password, logged on, and checked my 'recent activity'. Each time I can clearly see the same pattern: no activity from me for a long time (months, years) before the attack, then a log on to Yahoo Mobile in India (or similar), followed by an immediate log on to web mail and then all the spam is sent.

I know this is a known problem as it's well documented online.

Each time, I have wearily contacted customer services asking them to do something such as disable all services like mobile and each time I get some clueless guy who just tells me the same line about not telling anyone my password.

I have done everything I can do myself (disable everything I can, delete all my contacts in webmail etc) but it doesn't help and I am just waiting for the next hack to give me another push nearer to clicking that 'close account' button.

I have come to the conclusion that Yahoo is in terminal decline and is simply unable to find the resources needed to provide an adequately secure mail service. These sorts of problems will never be fully fixed; if anything they will get worse as they muck about adding crappy features in a sloppy, under-engineered way.

Okay, I guess I'm stupid and missed something - Regardless of the security issue in wordpress, mail.yahoo.com is a different domain.

These are two different subdomains. Why . . . regardless of the security hole in the blogging software . . . was one subdomain able to access cookies in another subdomain?

That portion of things seems the bigger concern - I shouldn't have to trust any particular site to be up to date, I should be able to trust my browser to not allow that access regardless?

Jonnan

When cookies are set, they can be set for e.g. ".yahoo.com" which would allow them to be accessed by any subdomain of yahoo.com. That's a pretty common practice, so visitors can be tracked (and/or authenticated) across all of a company's subdomains.

> "I'm sorry to report that my e-mail was hacked this morning and many of you probably got messages from me inviting you to open a link," she wrote in a message sent from her new Gmail account. "May your day be uncluttered, no more nonsense!"
>
> People should really stop using Yahoo! Mail and switch to other (safer) webmail services (like Gmail).
>
> I've thought about switching to Hotmail/Outlook (I will never use a Google service for anything serious!) but switching away from a 15-year-old e-mail address used for countless accounts is not an easy job. Also, the actual features of Yahoo are not bad these days, and it is not some local provider that can just disappear tomorrow. The incentive to move away from Yahoo for me is pretty low (practically only Hotmail and Gmail are better) and the cost is very high.

2 questions - 1. why not Google? gmail is probably the best online email, outlook requires an email account - either from a hosted domain or a pop server like gmail or hotmail

2. Did you not just read the article? No one said anything about the features.

Wasn't there something about Facebook being able to track your surfing habits in other tabs/browsers if you'd left it open in the background?

Eh? It doesn't need to be open in a tab.

1. If they are amateurs, they can track your surfing habits across sites that have Facebook like buttons while you're logged into Facebook.

2. If they are professionals, they can track your surfing habits across sites that have Facebook like buttons by assuming your IP address is you or otherwise fudging your identity (e.g. taking a hash of the fonts and plugins you have installed and using that as a unique id). They don't need to be 100% accurate. Advertising can get away with close enough.

3. If they are a hostile party targeting you specifically, they can determine what other sites of interest you've visited by creating a bunch of hidden links when you visit their website (Facebook in this case) and testing which of the links your browser is styling as :visited.

I've seen 8 people since Christmas get their Gmail account hacked and a phishing/script email sent in the same fashion described in this article.

In fact, it doesn't seem to be just those I know. You can do a google search "gmail hacked" and find plenty of others writing blog posts of recent hack-jobs on Gmail.

My search-fu is weak. Could you help? I haven't been able to find a recent case of a Gmail account being hacked because of a bug/vulnerability in Google's software as was the case in the Yahoo! hack.

For me, "gmail hacked" shows plenty of hits, but it's difficult to sift through them to find cases of email hacking where the vulnerable software under attack was Google's. Do I need another cup of coffee, or is this actually commonplace?

> I've seen 8 people since Christmas get their Gmail account hacked and a phishing/script email sent in the same fashion described in this article.
>
> In fact, it doesn't seem to be just those I know. You can do a google search "gmail hacked" and find plenty of others writing blog posts of recent hack-jobs on Gmail.
>
> My search-fu is weak. Could you help? I haven't been able to find a recent case of a Gmail account being hacked because of a bug/vulnerability in Google's software as was the case in the Yahoo! hack.
>
> For me, "gmail hacked" shows plenty of hits, but it's difficult to sift through them to find cases of email hacking where the vulnerable software under attack was Google's. Do I need another cup of coffee, or is this actually commonplace?

I think he meant to say "I've seen 8 people use their gmail address and password to sign up for everything under the sun and one of these services signed into their gmail account and started sending spam"

> > I've seen 8 people since Christmas get their Gmail account hacked and a phishing/script email sent in the same fashion described in this article.
> >
> > In fact, it doesn't seem to be just those I know. You can do a google search "gmail hacked" and find plenty of others writing blog posts of recent hack-jobs on Gmail.
> >
> > My search-fu is weak. Could you help? I haven't been able to find a recent case of a Gmail account being hacked because of a bug/vulnerability in Google's software as was the case in the Yahoo! hack.
> >
> > For me, "gmail hacked" shows plenty of hits, but it's difficult to sift through them to find cases of email hacking where the vulnerable software under attack was Google's. Do I need another cup of coffee, or is this actually commonplace?
>
> I think he meant to say "I've seen 8 people use their gmail address and password to sign up for everything under the sun and one of these services signed into their gmail account and started sending spam"

I have not seen a single example of a successful Gmail hack that has 2-factor enabled.

> > People should really stop using Yahoo! Mail and switch to other (safer) webmail services (like Gmail).
> >
> > I've thought about switching to Hotmail/Outlook (I will never use a Google service for anything serious!) but switching away from a 15-year-old e-mail address used for countless accounts is not an easy job. Also, the actual features of Yahoo are not bad these days, and it is not some local provider that can just disappear tomorrow. The incentive to move away from Yahoo for me is pretty low (practically only Hotmail and Gmail are better) and the cost is very high.
>
> 2 questions - 1. why not Google? gmail is probably the best online email, outlook requires an email account - either from a hosted domain or a pop server like gmail or hotmail
>
> 2. Did you not just read the article? No one said anything about the features.

1. I don't like the company and I don't trust them. By Outlook I meant "outlook.com" which is the new name for Hotmail as far as I know. Typical bad marketing and confusing names from Microsoft.

2. Of course I read the article. My point was that if Outlook/Gmail provided much better features (which I care about) in addition to security I would have greater incentive to switch.

BTW I was really surprised that it wasn't my fault that my email got hacked. I always expected that the weakest link in security would be myself.

> If Bitdefender researchers are correct in saying the campaign targeting Yahoo accounts began roughly a month ago, and that the hack worked because administrators didn't apply a patch released more than eight months ago, this is a serious misstep on the part of Yahoo admins.

No, it's not a serious misstep.

Not applying an 8 month old patch for a known vulnerability is gross professional negligence.

Interesting article Dan G. I'm aware of the theory behind XSS attacks but it was illuminating to read about a specific case.

It also sheds light on how some friends of mine got their main Yahoo account hacked last Summer. Similar MO to that mentioned above - access via an IP in India, spam sent out to contacts list but the b*stards also deleted all their emails. Surely Yahoo have a backup I hear you say? They might have but my friends didn't get their data back :-(

I use Yahoo myself and have done for over 10 years. I like the new client EXCEPT I hate the fact that if you accidentally hit the browser back button it takes you right out of the site! So you are reading an email, you hit back and boom it drops you right out. Gmail and Outlook.com take you back to the Inbox - why can't Yahoo!?

In terms of interface, I think the new Outlook.com is the most modern and impressive; it has features only normally seen on desktop clients - like you don't have to use tick boxes to select emails. But Gmail is good too, although I don't like the way it tries to corral you into setting up a Google+ profile.

Decisions, decisions, which one to go for, or do I gnash my teeth and stick with Yahoo?

(Note to self: backup your Yahoo Inbox and Sent Items - 15,000 emails+ Do it now!!)

> 1. I don't like the company and I don't trust them. By Outlook I meant "outlook.com" which is the new name for Hotmail as far as I know. Typical bad marketing and confusing names from Microsoft.

Seriously off topic but...

One phenomenon I really don't understand is hating/fearing one big multinational company and trusting another. You see this a lot with Google, Microsoft and Apple fans. They *love* their company and trust them implicitly to protect them and look out for their interests, but think the other company is going to do something nefarious with their data or logins. This, though they all run highly similar services and collect very similar data. I just don't understand it.

If you're going to hate a company, at least do it because you don't like the way their products work.

I know MS has stepped up security over time, but migrating to hotmail instead of gmail because of "trust issues" seems to be a move willfully ignorant of security track records.

> In terms of interface, I think the new Outlook.com is the most modern and impressive; it has features only normally seen on desktop clients - like you don't have to use tick boxes to select emails. But Gmail is good too, although I don't like the way it tries to corral you into setting up a Google+ profile.

Feature-wise, Hotmail/Outlook.com is a joke compared to Gmail and Yahoo. And that's if you want to use it in the browser - which, you know, you pretty much DO for Hotmail because it STILL doesn't support IMAP.

There are perfectly legitimate reasons to not like one company over another. Using Google, which you mentioned, as an example: Google is an advertising company. I equate them with telemarketers or TV ad companies. My experience with people trying to sell me things in the past makes me very cautious about dealing with them. Call me crazy.

As for any data COLLECTION arguments: Own any store cards that give you discounts and stuff? Like anything on Facebook? Congratulations, your personal information, purchasing habits, and things you like are being collected, correlated, and sold.

Setting their cookies to httpOnly would also have mitigated this attack. There's really no reason for Javascript to have access to cookies used for authentication.

I was thinking the same thing. Why wouldn't Yahoo just set their authentication cookies to HTTP-ONLY? It seems like such a simple step that would have largely avoided the problem. I'm not too familiar with the intricacies of this setting, so maybe there's a legitimate reason.
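What the HttpOnly attribute raised in the two comments above actually changes, as an added example in JavaScript that is not Yahoo's code or the commenters' code. The weak and corrected Set-Cookie headers are built side by side, parsed back, and run through a simulation of the browser's document.cookie view, which omits HttpOnly cookies; the cookie name and token value are constructed.

```javascript
// Added example (not Yahoo's code): what HttpOnly on a Set-Cookie header
// changes. A header builder, an attribute parser, and a simulation of the
// browser's document.cookie view, which never exposes HttpOnly cookies.
// The cookie name and token value are constructed for the demonstration.

function buildSetCookie(name, value, opts = {}) {
  const { domain, httpOnly = true, secure = true, sameSite = 'Lax' } = opts;
  const parts = [`${name}=${value}`, 'Path=/'];
  if (domain) parts.push(`Domain=${domain}`);
  if (secure) parts.push('Secure');     // only sent over HTTPS
  if (httpOnly) parts.push('HttpOnly'); // hidden from document.cookie
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Split on the first occurrence only, so '=' inside a value survives.
function splitOnce(s, sep) {
  const i = s.indexOf(sep);
  return i < 0 ? [s, undefined] : [s.slice(0, i), s.slice(i + 1)];
}

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const [name, value] = splitOnce(pair, '=');
  const cookie = {
    name,
    value: value === undefined ? '' : value,
    httpOnly: false,
    secure: false,
    attributes: {}, // remaining attributes, keyed by lower-cased name
  };
  for (const attr of attrs) {
    const [k, v] = splitOnce(attr, '=');
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else cookie.attributes[key] = v === undefined ? true : v;
  }
  return cookie;
}

// What a script on the page sees in document.cookie, given the Set-Cookie
// headers the browser has stored: HttpOnly cookies are filtered out.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter(c => !c.httpOnly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Weak setting: a login cookie that any script on any yahoo.com subdomain can read.
const WEAK = buildSetCookie('login', 'constructed-token', {
  domain: '.yahoo.com', httpOnly: false, secure: false, sameSite: null,
});

// Corrected setting: same scope, but script cannot read it.
const HARDENED = buildSetCookie('login', 'constructed-token', { domain: '.yahoo.com' });

console.log(WEAK);
console.log(HARDENED);
console.log(JSON.stringify(scriptVisibleCookies([WEAK])));     // "login=constructed-token"
console.log(JSON.stringify(scriptVisibleCookies([HARDENED]))); // ""
```

HttpOnly narrows the damage rather than removing it: injected script can no longer copy the cookie out for reuse elsewhere, but while it runs inside the yahoo.com origin it can still issue requests that the browser decorates with that cookie, so the XSS itself still has to be fixed. Where page script genuinely needs a cookie value, the usual arrangement is a separate, non-HttpOnly cookie that carries no authentication authority.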

My coworker got hit by this about a month ago. At the time I thought it was just a clever spam operation — they took a legitimate MSNBC article on jobs and added some extra copy to promote a work-at-home scam operation, then hosted it with a typical phishing URL pretending to be msnbc.com. It came to light when people started emailing the MSNBC writer asking about this company that wasn't even in the article she wrote:

But if it's true that the bogus article itself was the attack vector used to compromise Yahoo accounts and then send still more links to the site, then that's a whole 'nother layer of sneakitude. These people are very clever.